Enable CORS

Question

Enable CORS

codefrau opened this issue 8 years ago · 12 comments

codefrau commented 8 years ago

Particularly on files.squeak.org and build.squeak.org.

krono commented 7 years ago

'k

Answer 1 · 2017-02-23T10:37:40.000Z

Can this be closed? See here.

Answer 2 · 2017-11-17T13:04:56.000Z

Maybe it did work at some point, but right now, the server does not send CORS headers.

This is Chrome's error message in SqueakJS: Failed to load http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

And these are the headers I see:

$ whead  http://files.squeak.org/5.1/Squeak5.1-16549-32bit/Squeak5.1-16549-32bit.zip
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Fri, 17 Nov 2017 12:58:20 GMT
Content-Type: application/zip
Content-Length: 16215793
Last-Modified: Mon, 26 Sep 2016 09:25:23 GMT
Connection: keep-alive
ETag: "57e8e983-f76ef1"
X-Clacks-Overhead: GNU Terry Pratchett
Accept-Ranges: bytes

If this and #11 get fixed I could again directly link files from SqueakJS, which would be awesome :)

Answer 3 · 2017-11-17T14:20:52.000Z

This worked:
curl -H "Origin: http://try.squeak.org" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip

But this didnt:
curl -H "Origin: http://try.squeak.org/" -I http://files.squeak.org/5.1/Squeak5.1-16550-32bit/Squeak5.1-16550-32bit.zip

Fixed the regex.
(note: you need the origin...)

Answer 4 · 2017-11-17T17:20:06.000Z

It does not seem to work for localhost or for squeak.js.org. Does it have a very special list of allowed origins?

Answer 5 · 2017-11-17T18:37:28.000Z

jep: *.squeak.org

        location / {
		#enable CORS from *.squeak.org
		if ($http_origin ~ ^https?://([^/]+\.)?squeak\.org) { #hopefully this if won't affect try_files
			add_header 'Access-Control-Allow-Origin' '*';
			#See https://stackoverflow.com/questions/21104810/what-could-explain-the-browser-intermittently-not-loading-some-cors-crossorigin
			#why the value is * instead of #http_origin
		}
		try_files $uri @autoindex;

I just changed it to allow more than just the root path.
(I think @nicolas-cellier-aka-nice put it in there, but I'm not sure)

Answer 6 · 2017-11-17T19:38:34.000Z

Hi Tobias, its beyond my expertise and I think I'm not a contributor
https://github.com/squeak-smalltalk/squeak.org/graphs/contributors

Answer 7 · 2017-11-17T19:41:41.000Z

Hi Nicolas, that was just a guess. I also talked about the server/nginx configuration, nothing here on github. And yes, checking the admin-log yields that it was levente who helped with CORS.

Answer 8 · 2017-11-17T19:42:32.000Z

@bertfreudenberg do we need other hosts than *.squeak.org?

Answer 9 · 2017-11-17T23:03:24.000Z

@krono Yes. At the very least localhost (for debugging) and squeak.js.org. But why not unconditionally allow it? Why do we need to restrict it to certain origins?

Answer 10 · 2017-11-21T14:42:41.000Z

Dunno, Levente did that, most probably for good reasons. nevertheless, I included both.
please try again.

Answer 11 · 2017-11-21T21:09:39.000Z

Works for localhost and once we have HTTPS (#11) I'm sure it will work for squeak.js.org, too. Thanks!